[MediaWiki-commits] [Gerrit] operations/puppet[production]: salt: use SHA256 master key fingerprint on newer systems
Faidon Liambotis has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/337189 )

Change subject: salt: use SHA256 master key fingerprint on newer systems
..

salt: use SHA256 master key fingerprint on newer systems

stretch's salt-minion expects master_finger to be a SHA256 fingerprint rather than an MD5 one. While it's possible to change that with the hash_type argument, MD5 is cryptographically obsolete and shouldn't be relied on, so start using a SHA256 fingerprint instead.

Change-Id: Id6315e6ca37234e4bd3c4728b25d35830ef94193
---
M modules/role/manifests/salt/minions.pp
1 file changed, 7 insertions(+), 1 deletion(-)

Approvals:
Faidon Liambotis: Looks good to me, approved
jenkins-bot: Verified

diff --git a/modules/role/manifests/salt/minions.pp b/modules/role/manifests/salt/minions.pp index 01d490c..f517428 100644 --- a/modules/role/manifests/salt/minions.pp +++ b/modules/role/manifests/salt/minions.pp @@ -15,7 +15,13 @@ } } else { $master = 'neodymium.eqiad.wmnet' -$master_finger = 'f6:1d:a7:1f:7e:12:10:40:75:d5:73:af:0c:be:7d:7c' +if os_version('debian >= stretch') { +# stretch's salt-minion uses SHA256 instead of MD5 by default. +# while it's possible to set 'hash_type: md5', this is preferrable +$master_finger = 'f6:36:06:73:ca:54:55:c4:68:17:66:13:47:4b:cf:3e:32:71:7a:70:2d:69:b4:e8:3b:f0:d0:ae:d0:4b:4c:f5' +} else { +$master_finger = 'f6:1d:a7:1f:7e:12:10:40:75:d5:73:af:0c:be:7d:7c' +} } $client_id = $::fqdn

--
To view, visit https://gerrit.wikimedia.org/r/337189
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Id6315e6ca37234e4bd3c4728b25d35830ef94193
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis
Gerrit-Reviewer: Faidon Liambotis
Gerrit-Reviewer: jenkins-bot

MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
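Review bot: The else branch still pins the 16-byte MD5 value of $master_finger for pre-stretch minions, and nothing in the hunk marks it as temporary, even though the commit message calls MD5 cryptographically obsolete. Add a comment on that branch saying it should be removed once no pre-stretch minions remain, so the weaker pin does not outlive its need. It would also help to state in the comment that both values are fingerprints of the same key for 'neodymium.eqiad.wmnet', so whoever rotates that key knows both lines have to change together.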
[MediaWiki-commits] [Gerrit] operations/puppet[production]: salt: use SHA256 master key fingerprint on newer systems
Faidon Liambotis has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/337189 )

Change subject: salt: use SHA256 master key fingerprint on newer systems
..

salt: use SHA256 master key fingerprint on newer systems

stretch's salt-minion expects master_finger to be a SHA256 fingerprint rather than an MD5 one. While it's possible to change that with the hash_type argument, MD5 is cryptographically obsolete and shouldn't be relied on, so start using a SHA256 fingerprint instead.

Change-Id: Id6315e6ca37234e4bd3c4728b25d35830ef94193
---
M modules/role/manifests/salt/minions.pp
1 file changed, 7 insertions(+), 1 deletion(-)

git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/89/337189/1

diff --git a/modules/role/manifests/salt/minions.pp b/modules/role/manifests/salt/minions.pp index 01d490c..0381488 100644 --- a/modules/role/manifests/salt/minions.pp +++ b/modules/role/manifests/salt/minions.pp @@ -15,7 +15,13 @@ } } else { $master = 'neodymium.eqiad.wmnet' -$master_finger = 'f6:1d:a7:1f:7e:12:10:40:75:d5:73:af:0c:be:7d:7c' +if os_version("debian >= stretch") { +# stretch's salt-minion uses SHA256 instead of MD5 by default. +# while it's possible to set 'hash_type: md5', this is preferrable +$master_finger = 'f6:36:06:73:ca:54:55:c4:68:17:66:13:47:4b:cf:3e:32:71:7a:70:2d:69:b4:e8:3b:f0:d0:ae:d0:4b:4c:f5' +} else { +$master_finger = 'f6:1d:a7:1f:7e:12:10:40:75:d5:73:af:0c:be:7d:7c' +} } $client_id = $::fqdn

--
To view, visit https://gerrit.wikimedia.org/r/337189

Gerrit-MessageType: newchange
Gerrit-Change-Id: Id6315e6ca37234e4bd3c4728b25d35830ef94193
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis
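Review bot: In the added condition, os_version("debian >= stretch") uses double quotes for a string with no interpolation, while every other string in the hunk is single-quoted; write it as os_version('debian >= stretch') for consistency. The new comment also spells "preferable" as "preferrable", and "this" has no clear referent; something like "pinning the SHA256 fingerprint is preferable" would read better for whoever next touches $master_finger.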